5162 Views, 9 Helpful, 14 Replies

Is it possible to access the http web interface over the fa1 management interface?

moss.shawn
Level 1

Hello All,

I am remotely connected to a Cat 4500 + Supervisor V module via a console cable and a point-to-point connection from the laptop to the fa1 management interface on the Sup V. The Sup V module is running IOS 15.0(2)SG8.

I am not able to physically change the patch cable from the fa1 management interface to gi2/3 or any other switch port for a couple of days and would like to see if it is possible to access the HTTP server through this fa1 port since I am working remotely. I can ping the laptop from fa1 and TFTP works, but I cannot access the HTTP/HTTPS server. Is this even possible without connecting the laptop to a regular switch port like gi2/3, gi2/4, etc.? The reason I ask is that I would like to use the Cisco Network Assistant GUI for some things but need access to the HTTPS server first over the fa1 link.

 

Any suggestions would be much appreciated.

 

Thanks!

-S

1 Accepted Solution

Accepted Solutions

I think the issue is that http is not a VRF aware service in your IOS for that switch.

Which means the http server can only use the global routing table but the management interface is in a VRF.

I could be wrong but I suspect it may not work.

See this link for VRF aware services with your switch and IOS -

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/15-02SG/configuration/guide/config/vrf.html#wp1079187

Edit - just read the section on the management interface from the same configuration guide and it does specifically state that any service using the management port has to be VRF aware so it looks like that is your problem.

Jon


14 Replies

Reza Sharifi
Hall of Fame

Hi,

If you can access the out-of-band management port (fa1) via telnet or SSH, you should be able to open an HTTP or HTTPS session to the same IP as well. This is if the device is configured to accept HTTP or HTTPS sessions. BTW, I have never used a GUI interface to access a router or switch, so if I am saying something incorrect please ignore.

HTH

Well, the commands "ip http server" and "ip http secure-server" are both in the config and RSA key pairs have been generated. I get the feeling that when I can plug in to a regular switch port everything will be fine, but it would be nice to have web management access through the VRF mgmt fa1 interface : )

 

Thanks!

-S

What is the error message you are getting? Try putting "ip http authentication local" in the config, and do not forget to have a username and password configured.

 

Router(config)# ip http server
Router(config)# ip http secure-server
Router(config)# ip http authentication local
Router(config)# username <username> privilege 15 password 0 <password>

Hi Rakeshvelagala,

 

Thank you for the response. Yes, I have all of the following entries in the config. I do not get an error per se, but ports 80 and 443 are not accessible from the laptop browser. The management interface is 192.168.1.254 and the laptop is 192.168.1.99.

  Please see attached config.

 

Thanks!

-S

Here is the ACL list.  I have not made any entries into this list and all of these are default at this time.  Do I need to make an explicit allow ACL for http?

 

Thanks!

-S

#show access-list
Extended IP access list system-cpp-all-routers-on-subnet
    10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
    10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
    10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
    10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
    10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
    10 permit udp any eq any eq 0
Extended IP access list system-cpp-hsrpv2
    10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
    10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
    10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
    10 permit ospf any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-pim
    10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
    10 permit ip any host 224.0.0.9
Extended MAC access list system-cpp-bpdu-range
    permit any 0180.c200.0000 0000.0000.000c
Extended MAC access list system-cpp-cdp
    permit any host 0100.0ccc.cccc
Extended MAC access list system-cpp-cgmp
    permit any host 0100.0cdd.dddd
Extended MAC access list system-cpp-dot1x
    permit any host 0180.c200.0003
Extended MAC access list system-cpp-lldp
    permit any host 0180.c200.000e
Extended MAC access list system-cpp-mcast-cfm
    permit any 0180.c200.0030 0000.0000.000f
Extended MAC access list system-cpp-pppoe-disc
    permit any any protocol-family pppoe-disc
Extended MAC access list system-cpp-sstp
    permit any host 0100.0ccc.cccd
Extended MAC access list system-cpp-ucast-cfm
    permit any host 000d.6558.d5fd

S

 

Thank you for posting the config and the output of show access list. This does help clarify some things. The web interface has been configured and uses local authentication. There is not any access list configured to restrict access to the web interface. It looks to me like the switch should accept connections on both TCP port 80 and 443. Do you get anything when you attempt to connect from the laptop to the web interface? Any error message or anything?

 

HTH

 

Rick

Hi Richard,

   No error, just not able to connect.  I cannot even telnet to port 80 or 443 on the catalyst from laptop which would at least show me the port is open and daemon is up on the interface.  It looks like it is not serving those daemons on those ports for fa1 interface.

   Attached is the wireshark dump of attempting to connect from the laptop to the catalyst http and https.

   I am not quite sure what is going on.  Not sure if http or https servers only serve on regular interfaces or not? (regular switch ports)

Please rename pcapDump.txt to pcapDump.pcapng to view in wireshark.

 

Thanks for everyones assistance on this!

-S


There was an issue when I tried to open the last pcap file in wireshark.  Please use this one instead and remove the .txt extension and it should load ok.  It looks like the connection gets reset by the catalyst when trying to access http or https on the switch...

 

Thanks!

-S


Hi Jon,

 

   I think you are absolutely correct.  I reviewed the document you posted and indeed I did not see http as a supported vrf service.

 

   I had the client plug my patch cable into gi 2/3 and I assigned an IP address to that interface and I was good to go!  I disabled regular http and now can access and manage the switch through cisco network assistant like I originally wanted.

 

   Thank you all for your assistance with this.  Still strange to me that cisco would not allow the http management interface on the "management port"! : )

Cheers!

-S
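To make the accepted answer and the fix concrete: the configuration below is an added example written for this page, not the original poster's config or anything from the attached file. It puts side by side what Jon describes (the Sup V's FastEthernet1 sits in the management VRF, and the IOS HTTP server only listens in the global routing table, which is why the laptop saw TCP resets on 80 and 443 while ping and TFTP worked) and what the poster ended up doing (an IP address on gi2/3, plaintext HTTP disabled, HTTPS used for Cisco Network Assistant). The VRF name "mgmtVrf", the gi2/3 routed-port form, access-list 23, the "admin" username and the 192.168.1.0/24 addresses are assumptions chosen to match the thread; adjust them to your site. It also tightens the earlier reply's "username ... password 0" to "secret", since type 0 stores the password in cleartext in the running-config.

```cisco
! Added example for this thread, not the poster's own configuration.
!
! --- What does NOT give you the web UI on this platform/IOS: the OOB port ---
! The Sup V management port is placed in the management VRF by the platform
! (shown here as "mgmtVrf"; assumption, check "show ip vrf interfaces").
! "ip http server" / "ip http secure-server" bind only in the global table,
! so TCP 80/443 on 192.168.1.254 get a reset even though ping and TFTP work.
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 ip address 192.168.1.254 255.255.255.0
!
! --- What DOES work: a port or SVI in the global routing table ---
! The poster moved the laptop to gi2/3; a routed port is the simplest match.
! Remove this temporary in-band management address once the real uplinks exist.
interface GigabitEthernet2/3
 description Temporary in-band management for CNA / HTTPS (assumed)
 no switchport
 ip address 192.168.1.254 255.255.255.0
!
! --- HTTP server hardening ---
! Plaintext HTTP off; CNA can talk HTTPS. The secure server needs an RSA key
! pair, which the poster already generated (crypto key generate rsa modulus 2048).
no ip http server
ip http secure-server
ip http authentication local
!
! Restrict which source addresses may reach the web UI at all.
! Standard ACL 23 is the number some Cisco defaults use for this purpose.
access-list 23 permit 192.168.1.99
access-list 23 deny any log
ip http access-class 23
!
! "secret" stores a hash; "password 0" keeps the password in cleartext.
username admin privilege 15 secret <strong-password>
```

Verification: "show ip http server status" should report the secure server enabled and the access class applied; "show ip vrf interfaces" confirms that Fa1 is in the VRF and Gi2/3 is not; and from the laptop a "telnet 192.168.1.254 443" (or a browser to https://192.168.1.254) should now complete the TCP handshake instead of being reset. If the handshake still fails, check the access-class ACL before anything else, since a "deny" there looks exactly like the VRF problem from the client side.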

Thanks for getting back to us on this.

I did check the latest IOS version for your switch and it still isn't supported.

I guess the management port is for when it is up and running as opposed to initial configuration.

Jon

Hi 

 

Can you please run wireshark trace and attach the pcap?

 

Thanks

S

 

You tell us that you are working remotely and that your laptop has a connection via serial to the switch console and via Ethernet to fa1. So if you are remote, how are you accessing the laptop?

 

You tell us that ping works and that TFTP works, so the interface must have an IP address configured and operating. The other thing that could impact using the web interface would be whether authentication is configured for the web interface, or if an access list is configured to control what source addresses may access the web interface (I have seen some Cisco devices which default to using access list 23 to control this but do not know whether your switch does this). Otherwise I would think that fa1 is intended for management and see no reason why the web interface would not be accessible.

 

HTH

Rick

Hi Rick,

 

I am connected via a TeamViewer connection to a laptop that has wireless access. This is a new facility and a "new" switch, so nothing is connected to it yet but this laptop.

  I will double check the access list 23.  Thanks for that.

  I will post the config shortly.

 

Thanks!

-S
